The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Tuesday, 10 November 2015
IRANIAN CYBERSPY GROUP HIT IN COORDINATED EUROPEAN RAIDS
FROM THE MEDIA
Authorities have targeted the hacker group “Rocket Kitten,” believed to be linked to Iran’s Revolutionary Guard. The group has attacked high-profile military and political targets worldwide. Security firm Check Point discovered the espionage campaign, noting that Rocket Kitten has targeted NATO officials, Israeli nuclear scientists and Saudi royal family members.
Read the Story: Reuters
iSIGHT PARTNERS ANALYST COMMENT
The campaign referenced in this article refers to cyber espionage activity that iSIGHT Partners tracks as TEMP.Beanie. This group has focused operations against individuals in the defense, policy and academia sectors in the Middle East and has displayed extreme persistence and extensive reconnaissance efforts on targets of interest. Notable tactics include spear phishing, telephone calls, text messages and use of social networks to build rapport and steal user credentials. Given TEMP.Beanie’s historical targeting activities, we believe the group could be associated with Iranian security services such as the Ministry of Intelligence and Security or the Revolutionary Guards; however, no significant evidence implicates a specific organization at this time.
RELATED iSIGHT PARTNERS REPORTS
15-00006468 (TEMP.Beanie Expanded Targeted Scope), 23 July 2015
15-00009388 (New TEMP.Beanie Infrastructure), 9 Sept. 2015
Intel-1278296 (Newscaster Leverages LinkedIn), 9 Nov. 2014
PATCH NOW: 21 NEW VULNERABILITIES AFFECT SAP HANA SERVICES
FROM THE MEDIA
Security vendor Onapsis has announced the discovery of 21 vulnerabilities affecting SAP HANA, an in-memory computing platform used by enterprises worldwide. Onapsis noted that 87 percent of the Forbes Global 2000 firms run SAP, and 74 percent of the world’s transaction revenue deals with SAP systems.
Read the Story: Forbes
iSIGHT PARTNERS ANALYST COMMENT
Based on our analysis of the recently disclosed SAP vulnerabilities, we consider the most significant flaws to be medium-risk. Further, while SAP services do provide a potential exploitation target for attackers, our historical exploitation observations suggest that attackers are significantly more likely to target vulnerabilities affecting common applications, such as Flash or Java. While we consider Onapsis a legitimate authority on SAP security, as that is their focus, we also believe that Onapsis has reason to embellish both risks and threats to SAP systems.
RELATED iSIGHT PARTNERS REPORTS
15-00012400 (SAP HANA DB 1.00 TrexNet Authentication Issues Vulnerability), 9 Nov. 2015
15-00012406 (SAP HANA DB 1.00.73 Buffer Errors Vulnerability), 9 Nov. 2015
15-00012398 (SAP HANA DB 1.00.73 SQL Interface Unspecified Vulnerability), 9 Nov. 2015
BADLY CODED RANSOMWARE LOCKS AWAY DATA FOREVER
FROM THE MEDIA
Mistakes in the coding of the Power Worm virus’s encryption routine can result in victims’ encrypted data being lost indefinitely. Power Worm is ransomware that infects Excel and Word files and, as of recently, other types of files stored on a victim’s machine. The ransomware’s recent update not only allowed it to seek out an expanded list of targeted files; it also eliminated the creation of a decryption key when a computer is infected.
Read the Story: BBC
iSIGHT PARTNERS ANALYST COMMENT
The threat from this ransomware is unclear, both because it is unknown how widely Power Worm is being distributed and because the lack of a decryption key implies operational immaturity on the part of this actor. However, its capabilities appear largely unremarkable compared to those of other ransomware available in underground forums (other than the alleged lack of a decryption key). As the majority of malware spreads via spam messages and exploit kits, users should be wary of messages from unfamiliar e-mail addresses, especially those containing attachments.
RELATED iSIGHT PARTNERS REPORTS
15-00007094 (Overview of Ransomware History and Current Trends), 27 July 2015
15-00010230 (Overview of Cyber Crime Products for Sale in 2015), 29 Sept. 2015
15-00010740 (ORX-Locker: Ransomware-as-a-Service Offerings Uniquely Poised to Capitalize on Underground Marketplace Economy), 14 Oct. 2015
COMCAST RESETS NEARLY 200,000 PASSWORDS AFTER CUSTOMER LIST GOES ON SALE
FROM THE MEDIA
A list of 590,000 Comcast e-mail addresses and related passwords was offered for sale in an underground marketplace. Of the total number of account details, about 200,000 were found to have been legitimate. As a result, Comcast ordered a password reset and indicated that no other systems were affected.
Read the Story: CSO Online
iSIGHT PARTNERS ANALYST COMMENT
Account credentials are ubiquitous on underground forums; thousands of username and password combinations are available from numerous vendors. Some malicious actors, hoping to sell to security researchers, may advertise on forums in which security organizations are known to have a presence. Whereas most malicious actors will not buy credentials that seem fake or outdated, corporate entities are willing to purchase them on the off chance that the credentials are active.
RELATED iSIGHT PARTNERS REPORTS
15-00011574 (600 Electronic Arts Account Credentials Leaked; Likely Compromised with Brute-Forcing Tool), 21 Oct. 2015
15-00008770 (Data Loss Prevention (DLP) Software Effectiveness and Best Practices), 30 Sept. 2015
15-00006858 (Cyber Criminal Theft and Exploitation of Databases: Targeted Data, Targeted Industries and Malicious Uses), 11 Aug. 2015
ISIS SUPPORTER CYBER CALIPHATE TAKES OVER 54,000 TWITTER ACCOUNTS
FROM THE MEDIA
ISIS sympathizers have hijacked over 54,000 Twitter accounts in response to a drone strike that killed an ISIS member. The Twitter hijacking attack, dubbed #cybercaliphate, is working to take over accounts and spread propaganda in support of ISIS. The attack has affected only Twitter accounts, but it also resulted in the exposure of telephone numbers, passwords and other information belonging to FBI, NSA and CIA members.
Read the Story: ZDNet
iSIGHT PARTNERS ANALYST COMMENT
We did not observe the Islamic Cyber Army (ICA) targeting the CIA or the FBI or leaking Twitter credentials in association with the #IranUnderHacks campaign, which is only the latest in a series of ICA operations. iSIGHT Partners noted in September that one ICA member was using the name “CyberCaliphate.” In June 2015, we assessed with moderate confidence that the group CyberCaliphate is a false front for activity conducted by Russian actors. Clear differences in TTPs, sophistication and motivations between this CyberCaliphate and the ICA member suggest that the ICA actor is not connected to the Russia-linked group of the same name.
RELATED iSIGHT PARTNERS REPORTS
15-00009384 (ICA Member Using ‘CyberCaliphate’ Pseudonym), 23 Sept. 2015
15-00005278 (CyberCaliphate Group False Front for Russian Actors), 24 June 2015
15-00010382 (ICA Claimed Compromise of Twitter Credentials During #SaudiUnderHacks), 30 Sept. 2015
The post ThreatScape Media Highlights Update – Week Of November 10th appeared first on iSIGHT Partners.